What does it stand for?: Identity and Access Management
What do you use it for?: To control who is authenticated (signed in) / authorised (has permissions) to use AWS resources.
Cost: There is no charge to use IAM at the time of writing.
Features
- Gives you centralised control over your AWS account
- Shared access - You can grant other people permission to administer and use resources in your AWS account
- Granular permissions - You can grant different people different permissions depending on what they need access to.
- Give apps running on EC2 secure access to other AWS resources, such as S3 buckets and DynamoDB tables, without embedding long-term credentials in the instance.
- Users can sign in to AWS using an external identity provider, such as Active Directory or Facebook, through identity federation.
Core Concepts
I've picked out some main concepts within IAM - understanding what these are should help you get a better idea of how IAM all fits together.
User: A person or application that signs in to the AWS console or interacts with AWS through the API/CLI/SDK.
Resource: An object that exists within an AWS service, this could be anything from an S3 bucket to an EC2 instance.
Group: A collection of users under one set of permissions.
E.g. Marketing may need to write files to a certain S3 bucket. To achieve this you could create a group with the required S3 permissions and then add the Marketing team members to that group.
Role: An IAM identity with permissions attached but no long-term credentials of its own.
Rather than being assigned to a person, a role is assumed temporarily by users, applications or AWS services, e.g. an EC2 instance that needs to read from an S3 bucket.
Policy: A JSON document made up of statements that allow or deny actions on resources.
Can be attached to a user, group or role (identity-based), or to some resources such as an S3 bucket (resource-based).
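As an added example (not code from the original post), here is a small Python model of how users, groups and policies combine when IAM decides a request. The Marketing group, the marketing-assets bucket and the users alice and bob are made up for illustration, and the evaluator only handles plain Allow/Deny statements with Action and Resource (no Conditions, NotAction, resource-based policies or permission boundaries); it raises if it meets one of those rather than guessing.

```python
import re

# Constructed sample policy for the Marketing group (hypothetical bucket name).
MARKETING_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteCampaignFiles",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::marketing-assets",
                         "arn:aws:s3:::marketing-assets/*"],
        },
        {
            # An explicit Deny wins over any Allow, whichever policy grants it.
            "Sid": "ProtectFinanceFolder",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::marketing-assets/finance/*",
        },
    ],
}

# Constructed identities: groups carry policies, users belong to groups.
GROUPS = {"Marketing": [MARKETING_S3_POLICY]}
USERS = {
    "alice": {"groups": ["Marketing"], "policies": []},
    "bob": {"groups": [], "policies": []},  # brand-new user: nothing attached yet
}

# Policy features this toy evaluator deliberately does not model.
UNSUPPORTED = ("NotAction", "NotResource", "Condition", "Principal", "NotPrincipal")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_insensitive=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    unsupported = set(stmt) & set(UNSUPPORTED)
    if unsupported:
        raise NotImplementedError(f"statement uses {sorted(unsupported)}, not modelled here")
    # Action names are case-insensitive in IAM; resource ARNs (e.g. S3 keys) are not.
    action_ok = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    resource_ok = any(_glob_match(p, resource) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def effective_policies(user_name):
    """Identity-based policies in force for a user: their own plus every group's."""
    user = USERS[user_name]
    policies = list(user["policies"])
    for group in user["groups"]:
        policies.extend(GROUPS[group])
    return policies


def evaluate(user_name, action, resource):
    """Return 'Allow' or 'Deny' using IAM's evaluation order for identity policies:
    everything starts as an implicit deny, an explicit Deny beats any Allow,
    otherwise at least one matching Allow is required."""
    allowed = False
    for policy in effective_policies(user_name):
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: no need to look further
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


if __name__ == "__main__":
    checks = [
        ("bob", "s3:PutObject", "arn:aws:s3:::marketing-assets/banner.png"),
        ("alice", "s3:PutObject", "arn:aws:s3:::marketing-assets/banner.png"),
        ("alice", "s3:PutObject", "arn:aws:s3:::marketing-assets/finance/q3.xlsx"),
        ("alice", "s3:DeleteObject", "arn:aws:s3:::marketing-assets/banner.png"),
        ("alice", "s3:PutObject", "arn:aws:s3:::other-bucket/banner.png"),
    ]
    for who, act, res in checks:
        print(f"{who:5} {act:15} {res:48} -> {evaluate(who, act, res)}")
```

Running it shows the three rules that matter in practice: bob, with nothing attached, gets an implicit deny on everything; alice gets the group's Allow for the campaign files; and the explicit Deny on the finance/ prefix overrides that Allow even though both live in the same policy.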
What is the root account?
The root user is the identity you sign in with (the email address and password used to create the AWS account) when you first set up your account. It is recommended that you do not use it for day-to-day work: it has full access to everything, and its permissions cannot be restricted with IAM policies. Instead, set up an IAM user for each person who needs access and grant them only the permissions they need.
- Enable multi-factor authentication (MFA) on the root account, and avoid creating access keys for it.
Did you know?
- IAM is a global service: users, groups, roles and policies are not tied to a region, so you can't have region-specific identities.
- By default a new user has no permissions.
- When creating a user you can choose an access type such as:
- Console: Can log in to the AWS console
- Programmatic: Can authenticate over the AWS API, CLI, SDK
- If you choose programmatic access, creating the user gives you an Access Key ID and a Secret Access Key for use with the API, CLI and SDKs. The secret is shown only once: after you leave that page it cannot be retrieved, so if you lose it you must create a new access key and delete the old one.
- You can set an account password policy that forces users to rotate their passwords every X days and defines how strong passwords must be (minimum length, required character types, reuse prevention).
- If you enable AWS CloudTrail, you get logs of every API request: which identity made it, from which IP address, and when.
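As an added example (not from the original post), here is a Python script that reads CloudTrail records and does the two things the post points at: report who made requests, and flag the root-account use and no-MFA console logins the root section warns about. The records are constructed to mirror CloudTrail's record layout (userIdentity, eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the account ID, user names and IP addresses are made up.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records: the field layout follows CloudTrail's
# record format, but every account ID, name and IP address here is made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:12:33Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:01:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:05:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "marketing-assets", "key": "banner.png"}},
    {"eventTime": "2024-05-01T11:47:19Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T12:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"}},
]})


def load_records(trail_json):
    """Parse one CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(trail_json)["Records"]


def principal(event):
    """Who made the request: 'root', 'user/<name>', 'assumed-role/<role>/<session>', ..."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    arn = ident.get("arn", "")
    # The ARN's resource part, e.g. 'user/alice', is the readable identity.
    return arn.split(":", 5)[-1] if arn else ident.get("type", "unknown")


def requests_by_principal(records):
    """Answer 'who made requests for my resources?' with a count per identity."""
    return Counter(principal(e) for e in records)


def risky_signins(records):
    """Two checks worth alerting on, mirroring the post's advice:
    any root account usage, and console logins made without MFA."""
    findings = []
    for e in records:
        ident = e.get("userIdentity", {})
        when, ip = e.get("eventTime"), e.get("sourceIPAddress")
        # Root usage: skip events an AWS service generated on the account's behalf,
        # which carry userIdentity.invokedBy or eventType AwsServiceEvent.
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and e.get("eventType") != "AwsServiceEvent"):
            findings.append({"rule": "root-use", "time": when, "who": "root",
                             "detail": f"{e.get('eventName')} from {ip}"})
        # Console login without MFA: flag both successes and failed attempts.
        if e.get("eventName") == "ConsoleLogin":
            mfa = e.get("additionalEventData", {}).get("MFAUsed")
            outcome = e.get("responseElements", {}).get("ConsoleLogin", "Unknown")
            if mfa != "Yes":
                findings.append({"rule": "no-mfa-console-login", "time": when,
                                 "who": principal(e), "detail": f"{outcome} from {ip}"})
    return findings


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    for who, n in requests_by_principal(records).most_common():
        print(f"{n:3} request(s) by {who}")
    for f in risky_signins(records):
        print(f"[{f['rule']}] {f['time']} {f['who']}: {f['detail']}")
```

On the sample data the root user shows up twice (a console login without MFA and an S3 API call), and bob's failed console login without MFA is reported as well; alice's MFA-backed login produces nothing. The same two rules are what the common CloudWatch metric filters for root usage and non-MFA console logins express.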
Thank you for taking the time to read this blog post. I learn better when writing stuff down, which is why I have transformed my notes into this blog article so that the community can benefit also. If you learned something new or found this useful please leave a reaction to let me know! - Keep bloggin' - Naz
Would you like to see something else in this post or have an idea for a future blog post? Let me know in the comments!